Microsoft’s Edge web browser ships with a hidden whitelist that lets Facebook bypass the built-in click-to-play security policy and autorun Flash content without asking for user consent. The current version of the previously secret Edge whitelist only allows Facebook to circumvent the policy on its www.facebook.com and apps.com domains; the policy is currently enforced for every other domain not on the list. Microsoft partially addressed the issue during this month’s Patch Tuesday by trimming the whitelist down to the two Facebook domains.
Source: https://www.bleepingcomputer.com/news/security/microsoft-edge-secret-whitelist-allows-facebook-to-autorun-flash/

